A new ransomware strain that was discovered in early May 2023 has shown a strong resemblance to Royal ransomware. This new strain BlackSuit, primarily targets Linux systems and Windows. Further analysis from cybersecurity company Trend Micro, shows that BlackSuit and Royal ransomware are almost identical in functions, blocks, and jumps.
BlackSuit operates using a double extortion method, which is a common strategy employed by many ransomware groups. The ransomware also employs OpenSSL’s AES encryption process. However, it also incorporates additional command-line arguments and avoids encrypting specific files with certain extensions during the encryption process. The emergence of BlackSuit and its similarities to Royal underscores the ever-evolving nature of the ransomware ecosystem.
There were speculations that the Royal ransomware group was planning to rebrand under a new name following pressure from law enforcement after targeting IT systems in the City of Dallas, Texas. In May, a new ransomware operation called BlackSuit was discovered, leading to belief that it was the rebranded version of Royal. However, a rebranding did not occur, and Royal is still actively conducting attacks while using BlackSuit in limited instances. Cybersecurity professional Yelisey Boguslavskiy, states that the Royal group consists of over 60 cybersecurity experts who were part of the original Conti group or recruited from other elite ransomware groups. They employ both Royal and BlackSuit ransomware. Boguslavskiy suggests that Royal may be testing BlackSuit as a new encryptor or BlackSuit may be a new subgroup of the Royal ransomware family.
While the specific use of BlackSuit remains to be seen, it has been observed in a small number of attacks. BleepingComputer has documented at least three attacks involving the BlackSuit encryptor, with ransoms currently below $1 million. The BlackSuit operation currently has one victim listed on their data leak site, but this could change at any given moment if the encryptor becomes more commonly used. It is advised that network defenders remain cautious as this new operation is linked to the expertise of the Royal group, known for breaching networks and deploying their encryptors. The true nature of BlackSuit, whether a failed experiment or the start of a new subgroup, remains to be seen.